For several years now there has been a growing industry trend towards consolidating user authentication mechanisms by integrating applications into a single sign-on solution. This has the benefit of allowing end users to authenticate to a variety of different applications throughout the organization using a single set of credentials. For end users, the benefit is obvious: one set of credentials to remember, regardless of which application they're authenticating to. For the organization, though, providing your users with a seamless and transparent single sign-on solution has tremendous security benefits, the first being a single password policy to enforce. Different applications typically implement their own unique password complexity requirements and password expiration policies that are essentially impossible to synchronize across various autonomous systems. The end result is usually either passwords being written down on sticky notes and 'hidden' under keyboards, or routine and unnecessary calls to the helpdesk to reset passwords for end users. For these reasons and others, we have received countless requests from people just like you throughout the last few years, requesting that Orion support an open-standards method of single sign-on.
SAML (Security Assertion Markup Language), being the industry standard, was the most oft-requested solution, as there is a wide variety of commercial, free, and open source solutions already available, implemented, and operating in customer environments today. Many of these SAML providers offer the added security benefit of supporting multi-factor authentication, such as hardware or software tokens, biometrics such as fingerprints or facial recognition, and even two-step authentication via cellular using SMS text messages or native mobile apps. Supporting multi-factor authentication has been another frequently requested feature we've been eager to deliver, and with the addition of SAML support to the Orion Platform, this can now become a reality. To that end, this release of NPM 12.4 includes native out-of-the-box support for SAML 2.0 authentication, allowing users to leverage their single sign-on credentials to authenticate to the Orion web console, regardless of the type of credentials used.
The steps outlined below will walk you through how to use SAML authentication with Orion. For demonstration purposes, I'll be using Okta as my SAML provider, though you could use ADFS (Active Directory Federation Services) or virtually any other SAML 2.0 provider. The instructions assume you already have Okta installed, running, and users created.
Verify Ports are Open
Once you have NPM 12.4 installed in your environment, ensure the Orion server can access Okta by opening a browser on your Orion server and logging into the Okta web interface. This will ensure any ports required between Okta and the Orion server are open. Similarly, verify that your client workstations are able to access both the Orion web interface and the Okta web portal.
Create Okta Application
1. Once you've verified all necessary ports are open, log in to Okta and click 'Admin' from the top menu to access the Okta management interface.
2. Click the caret next to 'Developer Console', if available, to expose a drop-down menu. Select 'Classic UI' from the list to switch to the Okta classic interface.
3. Next, from the Administration page, click 'Applications' from the top menu bar. A drop-down menu will appear. Click on 'Applications' from the list.
4. On the 'Applications' page, click 'Add Application'.
5. Next, click 'Create New App' on the 'Add Application' page.
6. Select 'SAML 2.0' from the list of available Sign on methods and click 'Create'.
7. In the 'General Settings' step, enter a name for your Orion application in the field next to 'App Name'. I named my application 'aLTeReGo's Orion'.
At this point, you can add an optional icon that will appear when the user accesses this application directly from within Okta's web portal. If you're looking for an app logo icon, I'm somewhat partial to the one below. Once you've entered a name for your new Okta application, click 'Next'.
8. Open another browser window or tab to obtain your 'Single sign-on URL' and 'Audience URI' required for the next step in the Okta application configuration wizard. Log into your Orion web console, go to [Settings > All Settings > SAML Configuration], and click on the button entitled 'Add Identity Provider'.
9. Copy the 'Single Sign-on Service URL' to your clipboard and paste it into Okta's 'Single sign on URL' field in the SAML settings step of the wizard.
10. From Orion's 'Add Identity Provider' page, copy the 'Entity ID' to your clipboard and paste it into the 'Audience URI (SP Entity ID)' field of Okta's SAML configuration wizard.
11. When done, the 'General' section of your Okta SAML Settings configuration should look similar to the image below.
12. Scroll down Okta's SAML Settings page until you reach the 'Attribute Statements (Optional)' section. Create three attributes using the values specified in the following table.
13. Scroll slightly further down the same page to the section entitled 'Group Attribute Statements (Optional)' and create a single attribute using the values shown in the table below.
Once you've completed steps 12 and 13, verify your 'Attribute Statements (Optional)' and 'Group Attribute Statements (Optional)' fields look identical to the following image and click 'Next'.
14. If prompted to 'Help Okta support understand how you configured this application', select 'I'm an Okta customer adding an internal app' if asked 'Are you a customer or partner'. Similarly, if you are asked to define the 'App type', select 'This is an internal app that we have created' and click 'Finish'.
Grant Okta Users Access to Orion
1. Edit the Okta application you just created and click the 'Assignments' tab in the top navigation. Then click the 'Assign' button.
2. Select from the list of existing Okta users by clicking the 'Assign' button next to their name. Once you've selected all users you wish to access the Orion web console using single sign-on, click 'Done'.
Configuring SAML Authentication in Orion
1. Return back to the Orion Web Console and go to [Settings > All Settings > SAML Configuration] and click 'Add Identity Provider'.
2. In the 'Add Identity Provider' window, click 'Next'.
3. In the 'Identity Provider Name' field, enter a friendly name for your SAML provider. Note that the name entered here will appear to your end users when logging into the Orion web console. In my configuration, I named my Identity Provider simply 'Okta', as this is a name well known to my users.
4. In a separate browser Window or tab return to the Okta administration console, edit the application you created earlier and click on the 'Sign On' tab. Once there, click on the 'View Setup Instructions' button pictured below.
5. Copy the 'Identity Provider Single Sign-On URL' from Okta and paste it into the 'SSO Target URL (Endpoint)' field in Orion.
6. Copy the 'Identity Provider Issuer' from Okta and paste it into the 'Issuer (Entity ID)' field in Orion.
7. Copy the 'X.509 Certificate' in its entirety, including '-----BEGIN CERTIFICATE-----' through to '-----END CERTIFICATE-----', and paste this into the 'Public Certificate' field in Orion.
8. When you're done, the 'Add Identity Provider' wizard should look similar to the following. Once you've validated your changes, click 'Next'.
9. On the final step of the 'Add Identity Provider Wizard' simply click 'Save'.
10. When you're done you will be returned to the 'SAML Configuration' page. At the top, you will find a slider which allows you to globally enable or disable SAML authentication for Orion. By default, it is enabled once SAML authentication is successfully configured.
Creating SAML User Accounts in Orion
Now that you have SAML configured in both Okta and Orion, you'll need to create matching SAML user accounts in Orion so you can assign permissions and apply any view restrictions you desire, no different than you would for any other user in Orion.
1. To get started navigate to [Settings > All Settings > Manage Accounts] and click 'Add New Account'.
2. In the list of account types to create, choose 'SAML individual account' and click 'Next'.
3. In the 'Enter Account Info' step, enter the username of the user you wish to access Orion using SAML authentication into the 'Name ID' field. It's important that this name match identically what appears in Okta, or the user will be unable to log in to Orion. Once you've entered the username into the field, click 'Next'.
4. In the final step of the wizard, assign any special permissions, views, menu bars, or view limitations you wish the user to have when they log in to Orion. When complete, scroll to the bottom of the page and click 'Submit' to save these changes.
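The values pasted back and forth between the two consoles above (Orion's Entity ID and Single Sign-on Service URL into Okta, Okta's Issuer and X.509 certificate into Orion) are exactly what the service provider later checks against each incoming SAML response, and the Name ID entered in this section is what it matches the assertion's subject against. As an added example, not code from the original post or from SolarWinds, the Python script below uses only the standard library to perform those consistency checks on a constructed response: Destination against the ACS URL, Issuer against the configured IdP issuer, Audience against the SP Entity ID, the NotBefore/NotOnOrAfter window, and an exact (case-sensitive) NameID match, plus a sanity check that the pasted certificate text is a complete PEM block. All URLs, the issuer, the certificate body and the user are constructed placeholders. Verifying the XML signature against the pasted certificate is what actually makes an assertion trustworthy; that needs an XML-DSig library and is out of scope here, so the script only reports whether a Signature element is present.

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# XML namespaces used by SAML 2.0 responses, assertions and XML signatures.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Tolerance for clock drift between IdP and SP (an assumption; choose what your environment allows).
CLOCK_SKEW = timedelta(minutes=1)

# Values copied between the two consoles during setup. Constructed placeholders, not real Orion/Okta values.
SP_CONFIG = {
    "entity_id": "https://orion.example.test/Orion/SAML",        # Orion 'Entity ID' -> Okta 'Audience URI'
    "acs_url": "https://orion.example.test/Orion/SAML/Acs",      # Orion 'Single Sign-on Service URL' -> Okta 'Single sign on URL'
    "idp_issuer": "http://www.okta.example.test/exkconstructed",  # Okta 'Identity Provider Issuer' -> Orion 'Issuer (Entity ID)'
    "known_name_ids": {"jane.doe@example.test"},                 # 'Name ID' of the SAML individual accounts created in Orion
}

# Constructed stand-in for the 'X.509 Certificate' text: the base64 body decodes to a
# minimal DER SEQUENCE (30 03 02 01 01), not to a real certificate.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

# Constructed SAML response as the IdP would POST it to the ACS URL (signature body omitted).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://orion.example.test/Orion/SAML/Acs"
    ID="id-constructed-1" IssueInstant="2019-01-15T12:00:00Z" Version="2.0">
  <saml2:Issuer>http://www.okta.example.test/exkconstructed</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="id-constructed-2" IssueInstant="2019-01-15T12:00:00Z" Version="2.0">
    <saml2:Issuer>http://www.okta.example.test/exkconstructed</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.test</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2019-01-15T11:55:00Z" NotOnOrAfter="2019-01-15T12:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>https://orion.example.test/Orion/SAML</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

# Reference times for the sample: inside the validity window, and an hour later (a replayed response).
SAMPLE_NOW = datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=1)


def check_pem_certificate(pem):
    """Sanity-check the pasted 'Public Certificate' text: complete BEGIN/END markers, valid
    base64 body, DER SEQUENCE at the start. Returns a list of problems (empty means OK).
    This does not validate the certificate itself."""
    text = pem.strip()
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if not text.startswith(begin) or not text.endswith(end):
        return ["missing BEGIN/END CERTIFICATE markers (partial paste?)"]
    body = re.sub(r"\s+", "", text[len(begin):-len(end)])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"certificate body is not valid base64: {exc}"]
    if not der or der[0] != 0x30:
        return ["decoded body does not start with a DER SEQUENCE (0x30)"]
    return []


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2019-01-15T12:00:00Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, config, now):
    """Check a SAML response against the SP configuration. Returns a list of problems (empty means OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination does not match the SP's Single Sign-on Service URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != config["idp_issuer"]:
        problems.append("assertion Issuer does not match the configured Issuer (Entity ID)")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")  # real SPs verify it against the configured certificate
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
    else:
        if conditions.get("NotBefore") and now < parse_saml_time(conditions.get("NotBefore")) - CLOCK_SKEW:
            problems.append("assertion is not yet valid")
        if conditions.get("NotOnOrAfter") and now >= parse_saml_time(conditions.get("NotOnOrAfter")) + CLOCK_SKEW:
            problems.append("assertion has expired (possible replay)")
        audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        if audience != config["entity_id"]:
            problems.append("Audience does not match the SP Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id not in config["known_name_ids"]:  # exact match, as the Orion 'Name ID' field requires
        problems.append(f"NameID {name_id!r} has no matching SAML account")
    return problems


if __name__ == "__main__":
    print("certificate:", check_pem_certificate(SAMPLE_CERT_PEM) or "OK")
    print("response now:", validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW) or "OK")
    print("response replayed:", validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_LATER))
```

Run as-is it reports the constructed response as valid at SAMPLE_NOW and as expired an hour later. Changing the NameID's capitalisation or the Audience in SAMPLE_RESPONSE produces the same class of mismatch a user sees as a failed 'Login with Okta' when the Orion account name or the pasted Entity ID does not match exactly.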
Testing your SAML Authentication
1. To test your SAML authentication, log out of the Orion web console or open a different browser from the one you're currently logged in with, e.g. if you're using Google Chrome to configure Orion, open Firefox to test your SAML configuration.
2. When you first access the Orion login page you may notice you now have a new option that wasn't there prior to configuring SAML authentication. Below the usual 'Login' button, there is now an additional button entitled 'Login with Okta'. Okta is the friendly name we gave to our SAML provider in step #3 of 'Configuring SAML Authentication in Orion' above. Click the button 'Login with Okta' to proceed.
3. You should now be redirected to the Okta web portal. If you're not already logged into Okta, you will be prompted to authenticate. Simply enter your Okta credentials and click 'Sign in'.
4. Once you've successfully authenticated to Okta, you should be immediately redirected back to the Orion web console and transparently authenticated.
As stated earlier, this walkthrough is simply an example of using individual user accounts with Okta. If you've configured Orion SAML authentication, we'd love to hear which identity provider you're using and whether you're leveraging individual user accounts or groups. Also, if you have any tips and tricks or better yet, a walkthrough on how you configured a different identity provider, we'd love to hear from you!
Note that SAML can be used simultaneously in conjunction with all other existing authentication mechanisms supported by Orion, including both Active Directory user and group authentication via LDAP or MSAPI, as well as local Orion user accounts. SAML does, however, require that your IIS be configured to use Forms Based Authentication (default behavior) and cannot be used with Windows Integrated Authentication (optional setting located in the Configuration Wizard).